Systemic Analyser In Network Threats
This work is performed within the SAINT Project (Systemic Analyser in Network Threats), with the support of the European Commission and the Horizon 2020 Program, under Grant Agreement No 740829.
Computer Technology Institute "DIOPHANTUS"
SAINT: Mapping the Cybercrime
Vasileios Vlachos | vsvlachos | LinkedIn: https://www.linkedin.com/in/vsvlachos/ | Blog: https://vsvlachos.blogspot.gr/
What is the Cost of Cybercrime?
• What is the value of our digital assets? How can we accurately measure the cost of cybercrime?
• After a breach most victims tend to underestimate the damage, while most security firms tend to overestimate the losses
• Estimate the strength of a security technology by learning what cybercriminals are willing to pay to bypass it and / or obtain the data
SAINT CyberCrime Observatory – SCCO
• Create a pricelist – stock list of various digital goods
• Monitor price fluctuations
• Detect outliers
• Check cross-correlations and cross impacts between different indexes
• Raise alarms and provide early warning notifications
• Provide input for the economic analysis module
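The observatory functions above (a tracked price list, fluctuation monitoring, outlier detection, cross-correlation between indexes and alarms) can be sketched in a few lines. The following Python is an added illustration, not SAINT project code; the two goods, their weekly prices, the 3.5 modified z-score threshold and the one-week lag are all constructed assumptions.

```python
"""Toy price observatory in the spirit of the SAINT SCCO: track a stock list of
digital goods, flag anomalous price moves, and measure how two indexes co-move.
Added illustration, not SAINT project code. Prices are constructed, not real."""
from math import sqrt
from statistics import mean, median

# Constructed weekly price index (USD) for two assumed goods. Week 7 carries a
# level shift in both series, the kind of event the observatory should raise.
PRICES = {
    "stolen_cc_fullz": [20, 21, 19, 20, 22, 21, 20, 45, 44, 45],
    "custom_malware": [500, 510, 490, 505, 520, 515, 500, 900, 890, 900],
}


def pct_changes(series):
    """Period-over-period relative change; fluctuations, not levels, are compared."""
    return [(b - a) / a for a, b in zip(series, series[1:])]


def robust_zscores(values):
    """Modified z-score (median/MAD). Unlike mean/stdev it is not dragged by the
    very outlier we are trying to find, so a single spike still stands out."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0] * len(values)
    return [0.6745 * (v - med) / mad for v in values]


def detect_outliers(series, threshold=3.5):
    """Indexes into `series` whose move from the previous period is anomalous."""
    scores = robust_zscores(pct_changes(series))
    return [i + 1 for i, z in enumerate(scores) if abs(z) > threshold]


def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0


def cross_correlation(a, b, lag=0):
    """Correlation between the changes of index a and the changes of index b
    shifted by `lag` periods (positive lag: a leads b)."""
    ca, cb = pct_changes(a), pct_changes(b)
    if lag >= 0:
        xs, ys = ca[:len(ca) - lag], cb[lag:]
    else:
        xs, ys = ca[-lag:], cb[:len(cb) + lag]
    return pearson(xs, ys)


def alerts(prices, threshold=3.5):
    """Early-warning records: (good, period, price) for every anomalous move."""
    out = []
    for good, series in prices.items():
        for i in detect_outliers(series, threshold):
            out.append((good, i, series[i]))
    return out


if __name__ == "__main__":
    for good, period, price in alerts(PRICES):
        print(f"ALERT {good}: price moved to {price} in period {period}")
    r0 = cross_correlation(PRICES["stolen_cc_fullz"], PRICES["custom_malware"])
    r1 = cross_correlation(PRICES["stolen_cc_fullz"], PRICES["custom_malware"], lag=1)
    print(f"cross-correlation lag 0: {r0:.2f}, lag 1: {r1:.2f}")
```

The median/MAD score is used instead of a plain z-score because a single spike inflates the standard deviation enough to hide itself; the lag parameter lets the economic module ask whether one index leads another rather than only whether they move together.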
Deep Web
A Deep Web Crawler (DWC):
• Automatic data collection when possible
  o More challenging than a simple web crawler
Analysis of black markets:
• Automatic via DWC
• Manual (designated researchers)
• Archives (TBs of data already available)
World Wide Web
Open Source Intelligence (OSINT):
• Malware
• Bug bounties
• Search engines
• Security updates
• Spam
• Vulnerabilities
Deep Web Crawler
• Two different instances:
  • Clearnet Crawler tool
  • Deep & Dark Web Crawler tool
• Clearnet Crawler sub-instances:
  • Some of the ENISA Top 15 threats (Malware, Botnets, Spam, Phishing, DDoS, Web Based Attacks, Ransomware)
  • Bug Bounties (prices, entities)
• Deep & Dark Crawler sub-instances:
  • Vulnerability markets
  • Cybercrime activity
  • Tor related usage information
SAINT CyberCrime Metrics: Underground / Dark Market Analysis
• Stolen Data:
  o Hacked accounts
  o Credit cards
• CaaS (Crime as a Service):
  o Botnets
  o Spam
  o Hackers for hire
  o Malware
  o Bulletproof providers
  o Pharma programs
• General black market activity:
  o Posts
  o Members
Deep Web Probes
Online:
• Markets
• Forums
• Vendor shops
Offline:
• Cybercrime statistical data
• Archives of black markets
SAINT CyberCrime Metrics: Malware
• New malware strains (AV effectiveness)
• Price of custom malware (AV effectiveness & OS Security)
• Number of new signatures (AV effectiveness)
• Safe Browsing blacklists (AV effectiveness & Browser Security)
• Malware hosting domains (AV effectiveness & Web Server Security)
• Top Malware lists – phylogenetic models (AV effectiveness)
• Number of AV solutions (AV effectiveness)
• Number of new IDS rules (new attacks)
SAINT CyberCrime Metrics: Spammers
• Spam lists: blocked domains / IPs (spam filter effectiveness)
• Spam merchandise price list: drugs, software, replicas (anti-counterfeit solutions)
• Spam keyword blacklists (spam filter effectiveness)
• Spam honeypots (spam filter effectiveness)
SAINT CyberCrime Metrics: Search Engines
Google Hacking Results: automatic queries (time normalized), e.g.:
• …asslist
• passlist.txt (a better way)
• passwd
• passwd / etc (reliable)
• people.lst
• psyBNC config files
• pwd.db
• server-dbs "intitle:index of"
• signin filetype:url
• spwd.db / passwd
• filetype:sql "insert into" (pass|passwd|password)
• filetype:sql ("values * MD5" | "values * password" | "values * encrypt")
• filetype:sql +"IDENTIFIED BY" -cvs
• filetype:sql password
• filetype:url +inurl:"ftp://" +inurl:";@"
• filetype:xls username password email
• htpasswd
• htpasswd / htgroup
• htpasswd / htpasswd.bak
• intext:"enable password 7"
• intext:"enable secret 5 $"
• …
Shodan Hacking Results, e.g.:
• apache city:"Berlin"
• nginx country:"DE"
• Apache city:"Brussels" port:"8080" product:"Apache Tomcat/Coyote JSP engine"
• "Server: gws" hostname:"google"
• cisco net:"195.170.0.0/24"
SAINT CyberCrime Metrics: Trends
SAINT CyberCrime Metrics: Applications
• New security updates && patches && bugfixes
• Number of vulnerabilities && bugs && exploits
• Security Contests ($$$)
• Bug bounties ($$$)
• 0-days pricelist ($$$)
• Minor application versions aa.bb
ENISA Top 15 Indicators (2017)
1. Malware
2. Web-based attacks
3. Web application attacks
4. Phishing
5. Spam
6. Denial of Service
7. Ransomware
8. Botnets
9. Insider threat
10. Physical manipulation/damage/theft/loss
11. Data Breaches
12. Identity Theft
13. Information leakage
14. Exploit kits
15. Cyber-Espionage
Web Based Attacks I: http://lists.blocklist.de/lists/all.txt
• Server content: list of IPs scraped
• JSON formatted document objects
Web Based Attacks II: http://feeds.dshield.org/block.txt
• Page info: scraping content
• JSON formatted document objects
DDoS: https://www.exploit-db.com/google-hacking-database/12/
• Main page: scraping for further information on each threat instance
• JSON formatted document objects
Phishing: https://www.phishtank.com/
• Main page: scraping for further information on each threat instance
• JSON formatted document objects
Malware: https://mirror.uce.edu.ec/malwaredomains/
• JSON formatted document objects
Botnets: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
SAINT Threats database collections: MongoDB (schema-less NoSQL database, JSON big data)
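The feed-to-JSON-document step described for the blocklist.de, DShield and Bambenek sources is shown here as an added Python example; it is not SAINT project code. The feed texts are constructed samples (RFC 5737 documentation addresses), the column layouts are assumed from the public feeds rather than guaranteed to match them, and the feed names and ENISA threat labels are assumptions. The documents it produces are plain dicts ready for json.dumps or a MongoDB insert_many, which is left out so the block runs offline.

```python
"""Normalising public threat feeds into JSON documents of the kind stored in a
MongoDB threats collection. Added illustration, not SAINT project code. Feed
texts are constructed samples; column layouts are assumed, not verified."""
import csv
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the assumed layout of http://feeds.dshield.org/block.txt
# (tab separated: start, end, netmask, attacks, name, country, email).
DSHIELD_SAMPLE = """\
#   DShield.org Recommended Block List (constructed sample)
#   Start       End         Netmask Attacks Name        Country email
203.0.113.0\t203.0.113.255\t24\t1523\tExampleNet\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t987\tTestISP\tXX\tabuse@example.org
"""

# Constructed sample of http://lists.blocklist.de/lists/all.txt (one IP per line),
# with a duplicate and a junk line to exercise validation.
BLOCKLIST_SAMPLE = """\
192.0.2.10
192.0.2.11
not-an-ip
192.0.2.10
"""

# Constructed sample in the assumed layout of the Bambenek C2 IP master list
# (CSV: ip,description,date,reference).
BAMBENEK_SAMPLE = """\
# Master feed of known, active C&C IP addresses (constructed sample)
192.0.2.10,C&C for example-bot,2017-12-01 10:00,http://osint.bambenekconsulting.com/manual/example.txt
203.0.113.7,C&C for example-rat,2017-12-01 10:05,http://osint.bambenekconsulting.com/manual/example.txt
"""

SAMPLE_FEEDS = {"dshield_block": DSHIELD_SAMPLE,
                "blocklist_de_all": BLOCKLIST_SAMPLE,
                "bambenek_c2_ip": BAMBENEK_SAMPLE}

# ENISA threat class each feed is filed under on the slides (assumed mapping).
THREAT_CLASS = {"dshield_block": "web-based-attacks",
                "blocklist_de_all": "web-based-attacks",
                "bambenek_c2_ip": "botnets"}


def data_lines(text):
    return [l for l in text.splitlines() if l.strip() and not l.startswith("#")]


def parse_dshield(text):
    for line in data_lines(text):
        start, _end, mask, attacks, name, country, _email = line.split("\t")
        yield {"indicator": f"{start}/{mask}", "type": "cidr",
               "attacks": int(attacks), "netname": name, "country": country}


def parse_blocklist_de(text):
    for line in data_lines(text):
        yield {"indicator": line.strip(), "type": "ip"}


def parse_bambenek(text):
    for ip, desc, date, ref in csv.reader(data_lines(text)):
        yield {"indicator": ip, "type": "ip", "description": desc,
               "first_seen": date, "reference": ref}


PARSERS = {"dshield_block": parse_dshield,
           "blocklist_de_all": parse_blocklist_de,
           "bambenek_c2_ip": parse_bambenek}


def valid_indicator(doc):
    """Reject anything that is not a well-formed IP or CIDR before it reaches the DB."""
    try:
        if doc["type"] == "cidr":
            ipaddress.ip_network(doc["indicator"], strict=False)
        else:
            ipaddress.ip_address(doc["indicator"])
        return True
    except ValueError:
        return False


def build_documents(raw_feeds, collected_at):
    """raw_feeds: {feed_name: text}. Returns validated, de-duplicated documents
    ready for json.dumps or collection.insert_many."""
    seen, docs = set(), []
    for feed, text in raw_feeds.items():
        for doc in PARSERS[feed](text):
            if not valid_indicator(doc) or (feed, doc["indicator"]) in seen:
                continue
            seen.add((feed, doc["indicator"]))
            doc.update({"source": feed, "threat": THREAT_CLASS[feed],
                        "collected_at": collected_at})
            docs.append(doc)
    return docs


def overlapping_indicators(docs):
    """Indicators reported by more than one feed; an IP inside a blocked range
    counts as overlapping with that range (a cross-feed check, same IP family only)."""
    nets = [(d["source"], d["indicator"],
             ipaddress.ip_network(d["indicator"], strict=False)) for d in docs]
    hits = defaultdict(set)
    for s1, i1, n1 in nets:
        for s2, _i2, n2 in nets:
            if s1 != s2 and n1.version == n2.version and n1.subnet_of(n2):
                hits[i1].update((s1, s2))
    return {ind: sorted(srcs) for ind, srcs in hits.items()}


def to_json(docs):
    return json.dumps(docs, indent=2)


if __name__ == "__main__":
    documents = build_documents(SAMPLE_FEEDS, "2017-12-01T12:00:00Z")
    print(to_json(documents))
    print("seen in more than one feed:", overlapping_indicators(documents))
```

Validation and de-duplication happen before insertion on purpose: a junk line in a feed should never become a document, and the (source, indicator) key keeps each feed's view separate so that the cross-feed overlap can be computed afterwards instead of being lost at ingest.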
SAINT CyberCrime Metrics: Social Networks
Social Network Analysis (SNA):
Twitter hashtag frequency monitoring: #bugs #bounties #malware #hacking #spam #osint #deepweb #darkmarket #vulnerability #0day #apt #rat #bot #c&c #zombiepc #exploit #carders #phishing #ddos #stressers #backdoor #logicbomb #dox #shell #blackhat #spoof #socialengineer #trojan #ransomware #crimeware #resolver #scriptkiddie #root #rootkit #deface #XSS #SQLinjection #bufferoverflow #hacktivism
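Hashtag frequency monitoring of the kind listed above, as an added Python example (not SAINT or CSNA code). The tweets and the one-hour window are constructed assumptions; the watchlist is a subset of the slide's tags. The one detail worth showing is tokenisation: a naive `#\w+` pattern never matches `#c&c`, and `#bot` must not be counted inside `#botnet`, so the pattern is built from the escaped watchlist with a lookahead.

```python
"""Hashtag frequency monitoring over a Twitter-style stream, as in the SAINT SNA
metric. Added illustration, not project code; tweets and window size are
constructed/assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Subset of the monitored hashtags from the slide, lower-case.
WATCHLIST = ["#malware", "#c&c", "#0day", "#exploit", "#phishing", "#xss",
             "#vulnerability", "#bot", "#botnet", "#blackhat", "#ransomware"]

# Constructed sample stream: (UTC timestamp, text).
TWEETS = [
    ("2017-12-01T10:05:00Z", "New #malware sample dropped, #C&C at a new host #botnet"),
    ("2017-12-01T10:40:00Z", "Looking for #0day #exploit buyers, DM #blackhat"),
    ("2017-12-01T11:10:00Z", "#Malware campaign spreading via #phishing, again #c&c"),
    ("2017-12-01T11:50:00Z", "#bugbounty paid out, #vulnerability disclosed #XSS"),
]


def build_pattern(watchlist):
    """Regex matching any watched tag as a whole token. Tags are escaped because
    '#c&c' contains a non-word character, and the lookahead stops '#bot' from
    matching inside '#botnet'."""
    alts = "|".join(re.escape(tag[1:]) for tag in watchlist)
    return re.compile(r"#(?:%s)(?![\w&])" % alts, re.IGNORECASE)


def extract_tags(text, pattern):
    """Watched hashtags in a tweet, normalised to lower case."""
    return [m.group(0).lower() for m in pattern.finditer(text)]


def hourly_counts(tweets, watchlist):
    """{window_start: Counter} with one window per UTC hour (time normalisation)."""
    pattern = build_pattern(watchlist)
    windows = defaultdict(Counter)
    for ts, text in tweets:
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        windows[dt.strftime("%Y-%m-%dT%H:00Z")].update(extract_tags(text, pattern))
    return dict(windows)


def totals(windows):
    """Overall frequency across all windows, for the top-N view."""
    total = Counter()
    for counts in windows.values():
        total.update(counts)
    return total


if __name__ == "__main__":
    windows = hourly_counts(TWEETS, WATCHLIST)
    for window in sorted(windows):
        print(window, dict(windows[window]))
    print("top tags:", totals(windows).most_common(3))
```

Per-window counts are the input a spike detector would consume; tags outside the watchlist (here `#bugbounty`) are deliberately dropped so the series stays comparable over time.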
Cybersecurity Social Network Analyzer - CSNA
SAINT CyberCrime Metrics: Global Security Map
http://globalsecuritymap.com/#
SAINT CyberCrime Metrics: Outcomes
• A SAINT CyberCrime Observatory for European citizens, stakeholders, legislators, security researchers, scientists and law enforcement officers
• Basic early warning services for imminent threats
• A toolbox of methodologies and prototype applications to analyze IT security trends and cybercrime activity
• A set of cybercrime metrics to evaluate the financial impact of existing cybersecurity technologies
SAINT EU Project Home: https://project-saint.eu/
https://vimeo.com/246975321
Q&A
Vasileios Vlachos
Assistant Professor
Department of Computer Science and Engineering
Technological Educational Institute (TEI) of Thessaly
vsvlachos | LinkedIn: https://www.linkedin.com/in/vsvlachos/ | Blog: https://vsvlachos.blogspot.gr/